Kubernetes Istio egress gateway gives HTTP 503 error

I have the following manifests for deploying Istio egress gateway routes:
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: REDACTED-egress-se
spec:
  hosts:
  - sahfpxa.REDACTED
  ports:
  - number: 8080
    name: http-port
    protocol: HTTP
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: sahfpxa-REDACTED-egress-gw
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 8080
      name: http
      protocol: HTTP
    hosts:
    - sahfpxa.REDACTED
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressgateway-for-sahfpxa-REDACTED
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: sahfpxa
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-sahfpxa-REDACTED-through-egress-gateway
spec:
  hosts:
  - sahfpxa.REDACTED
  gateways:
  - REDACTED/REDACTED-egress-gw
  - mesh
  http:
  - match:
    - gateways:
      - mesh
      port: 8080
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: sahfpxa
        port:
          number: 80
      weight: 100
  - match:
    - gateways:
      - REDACTED/sahfpxa-REDACTED-egress-gw
      port: 8080
    route:
    - destination:
        host: sahfpxa.REDACTED
        port:
          number: 8080
      weight: 100
But I get a connection refused from the sidecar istio-proxy container of the pod in the affected namespace, and an HTTP 503 error from the workload container in that namespace.

Do you have any idea what is wrong with the configuration, or how I can debug it?

Thanks in advance.

Best regards,
rforberger

Answer:

There are a few errors in the deployment manifests, e.g. the DestinationRule does not point to your ServiceEntry.

You can try to match your manifest files with these:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: etth
spec:
  hosts:
  - etth.pl
  ports:
  - number: 8080
    name: http-port
    protocol: HTTP
  resolution: DNS
You can check whether the route exists with:
$ istioctl pc routes $(kubectl get pods -l istio=egressgateway -o jsonpath='{.items[0].metadata.name}' -n istio-system).istio-system -o json
[
  {
    "name": "http.80",
    "virtualHosts": [
      {
        "name": "etth.pl:80",
        "domains": [
          "etth.pl",
          "etth.pl:80"
        ],
        "routes": [
          {
            "match": {
              "prefix": "/",
              "caseSensitive": true
            },
            "route": {
              "cluster": "outbound|8080||etth.pl",
              "timeout": "0s",
              "retryPolicy": {
                "retryOn": "connect-failure,refused-stream,unavailable,cancelled,resource-exhausted,retriable-status-codes",
                "numRetries": 2,
                "retryHostPredicate": [
                  {
                    "name": "envoy.retry_host_predicates.previous_hosts"
                  }
                ],
                "hostSelectionRetryMaxAttempts": "5",
                "retriableStatusCodes": [
                  503
                ]
              },
              "maxGrpcTimeout": "0s"
            },
            "metadata": {
              "filterMetadata": {
                "istio": {
                  "config": "/apis/networking/v1alpha3/namespaces/default/virtual-service/direct-cnn-through-egress-gateway"
                }
              }
            },
            "decorator": {
              "operation": "etth.pl:8080/*"
            },
            "typedPerFilterConfig": {
              "mixer": {
                "@type": "type.googleapis.com/istio.mixer.v1.config.client.ServiceConfig",
                "disableCheckCalls": true,
                "mixerAttributes": {
                  "attributes": {
                    "destination.service.host": {
                      "stringValue": "etth.pl"
                    },
                    "destination.service.name": {
                      "stringValue": "etth.pl"
                    },
                    "destination.service.namespace": {
                      "stringValue": "default"
                    }
                  }
                },
                "forwardAttributes": {
                  "attributes": {
                    "destination.service.host": {
                      "stringValue": "etth.pl"
                    },
                    "destination.service.name": {
                      "stringValue": "etth.pl"
                    },
                    "destination.service.namespace": {
                      "stringValue": "default"
                    }
                  }
                }
              }
            }
          }
        ]
      }
    ],
    "validateClusters": false
  },
  {
    "virtualHosts": [
      {
        "name": "backend",
        "domains": [
          "*"
        ],
        "routes": [
          {
            "match": {
              "prefix": "/stats/prometheus"
            },
            "route": {
              "cluster": "prometheus_stats"
            }
          }
        ]
      }
    ]
  }
]
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-cnn-through-egress-gateway
spec:
  hosts:
  - etth.pl
  gateways:
  - istio-egressgateway
  - mesh
  http:
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: etth
        port:
          number: 80
      weight: 100
  - match:
    - gateways:
      - istio-egressgateway
      port: 80
    route:
    - destination:
        host: etth.pl
        port:
          number: 8080
      weight: 100

Comments:

PiotrMalec: Hi, 1. Could you be more specific about how you get the connection refused error? What specific command did you use, and from where? 2. Is the injected deployment pod reachable from within the cluster/namespace? 3. What Istio version do you have?

rforberger: Hi @PiotrMalec 1. I get the connection refused from the envoy sidecar of my workload container, from which I want to reach the external service sahfpxa.REDACTED through the egress gateway. 2. You mean whether I can reach the injected deployment pod from another pod? 3. Istio 1.4.0 (just upgraded, but the problem persists)

PiotrMalec: Sorry, I was a bit confused about the source and destination services of this issue, so checking whether the service is reachable from within the cluster makes no sense. Instead, check whether the external service is reachable from the cluster nodes. Have you tried curl with the --verbose option? It's HTTP protocol, so there may be some useful information.

rforberger: Hi @PiotrMalec, the external service is reachable from the cluster nodes and also from the egress gateway pod. curl --verbose shows the following:

  *   Trying 10.224.19.37:8080...
  * TCP_NODELAY set
  * Connected to sahfpxa.REDACTED (10.224.19.37) port 8080 (#0)
  > POST /REDACTED HTTP/1.1
  > Host: sahfpxa.REDACTED:8080
  > User-Agent: curl/7.66.0
  > Accept: */*
  >
  * Mark bundle as not supporting multiuse

PiotrMalec: Try adding location: MESH_EXTERNAL under spec of the ServiceEntry named REDACTED-egress-se.

rforberger: Hi @PiotrMalec, I tried the example you suggested, exactly as you posted it with the REDACTED parts filled in, but I still get the HTTP 503 error. I see the route with `istioctl pc routes $(kubectl get pods -l istio=egressgateway -o jsonpath='{.items[0].metadata.name}' -n istio-system).istio-system -o json`. E.g.: `... "route": { "cluster": "outbound|8080||sahfpxa.REDACTED", "timeout": "0s", ...`

PiotrMalec: Do you also get the 503 error if you delete all objects created with this manifest? In my Istio cluster, if I have no ServiceEntry defined and the cluster policy is mode: ALLOW_ANY, I can reach all external services on any port. E.g. from an envoy-injected app pod I can do curl -v http://10.240.0.11:1337/, which is a VM next to my cluster in the same VPC network, hosting helloworld on port 1337. If not, something may be blocking the connection from your cluster.

rforberger: If I delete all manifests I still get the HTTP 503 error. Although when I run the curl command directly from the Kubernetes host, I get ... from the external service. So actually the connection should not be blocked...

PiotrMalec: Looks like a firewall issue. Are you using firewalld?

rforberger: We are not using firewalld, it is disabled on the nodes. But there are some iptables rules deployed, which are deployed automatically by the kubernetes/weave network layer.
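An added consistency check (not from the question, the answer, or Istio itself) that walks the objects from the question, as parsed dicts, and reports bindings that can never carry traffic: a VirtualService gateway reference with no matching Gateway, a match on a gateway the VirtualService is not bound to, a subset no DestinationRule defines, and an external destination no ServiceEntry exposes on that port. It assumes every object lives in namespace REDACTED, as the REDACTED/... gateway references imply.

```python
# Added example: consistency check over the objects from the question, as parsed dicts.
# Assumption: every object lives in namespace "REDACTED" (the VirtualService uses
# "REDACTED/<name>" gateway references); values otherwise mirror the posted YAML.
NS = "REDACTED"
EGRESS = "istio-egressgateway.istio-system.svc.cluster.local"
QUESTION_OBJECTS = [
    {"kind": "ServiceEntry", "metadata": {"name": "REDACTED-egress-se"},
     "spec": {"hosts": ["sahfpxa.REDACTED"], "resolution": "DNS",
              "ports": [{"number": 8080, "name": "http-port", "protocol": "HTTP"}]}},
    {"kind": "Gateway", "metadata": {"name": "sahfpxa-REDACTED-egress-gw"},
     "spec": {"selector": {"istio": "egressgateway"}, "servers": [
         {"port": {"number": 8080, "name": "http", "protocol": "HTTP"}, "hosts": ["sahfpxa.REDACTED"]}]}},
    {"kind": "DestinationRule", "metadata": {"name": "egressgateway-for-sahfpxa-REDACTED"},
     "spec": {"host": EGRESS, "subsets": [{"name": "sahfpxa"}]}},
    {"kind": "VirtualService", "metadata": {"name": "direct-sahfpxa-REDACTED-through-egress-gateway"},
     "spec": {"hosts": ["sahfpxa.REDACTED"], "gateways": ["REDACTED/REDACTED-egress-gw", "mesh"], "http": [
         {"match": [{"gateways": ["mesh"], "port": 8080}],
          "route": [{"destination": {"host": EGRESS, "subset": "sahfpxa", "port": {"number": 80}}}]},
         {"match": [{"gateways": ["REDACTED/sahfpxa-REDACTED-egress-gw"], "port": 8080}],
          "route": [{"destination": {"host": "sahfpxa.REDACTED", "port": {"number": 8080}}}]}]}},
]

def qualify(ref, ns):
    # Gateway references are "name" (same namespace) or "namespace/name"; "mesh" is special.
    return ref if ref == "mesh" or "/" in ref else f"{ns}/{ref}"

def check_egress_config(objs, ns=NS):
    """Return findings for bindings that can never carry traffic; an empty list means consistent."""
    findings = []
    gateways = {f"{ns}/{o['metadata']['name']}" for o in objs if o["kind"] == "Gateway"}
    subsets = {(o["spec"]["host"], s["name"]) for o in objs if o["kind"] == "DestinationRule"
               for s in o["spec"].get("subsets", [])}
    se_ports = {(h, p["number"]) for o in objs if o["kind"] == "ServiceEntry"
                for h in o["spec"]["hosts"] for p in o["spec"]["ports"]}
    for vs in (o for o in objs if o["kind"] == "VirtualService"):
        name = vs["metadata"]["name"]
        bound = {qualify(g, ns) for g in vs["spec"].get("gateways", ["mesh"])}
        # 1. every gateway the VirtualService binds to (other than "mesh") must exist
        for g in sorted(bound - gateways - {"mesh"}):
            findings.append(f"{name}: gateway {g!r} matches no Gateway (known: {sorted(gateways)})")
        for rule in vs["spec"].get("http", []):
            # 2. a match on a gateway outside spec.gateways can never select this route
            for g in (g for m in rule.get("match", []) for g in m.get("gateways", [])):
                if qualify(g, ns) not in bound:
                    findings.append(f"{name}: match gateway {g!r} is not in spec.gateways; route unreachable")
            # 3. subsets need a DestinationRule for that host; 4. external hosts need a ServiceEntry port
            for d in (r["destination"] for r in rule.get("route", [])):
                if "subset" in d and (d["host"], d["subset"]) not in subsets:
                    findings.append(f"{name}: subset {d['subset']!r} undefined for host {d['host']!r}")
                if not d["host"].endswith(".svc.cluster.local") and (d["host"], d["port"]["number"]) not in se_ports:
                    findings.append(f"{name}: no ServiceEntry exposes {d['host']}:{d['port']['number']}")
    return findings
```

Run against the question's objects it reports the two gateway-name problems visible in the posted VirtualService; once spec.gateways names the Gateway that actually exists, it reports nothing.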